Description

At Uphold, we make it easy to buy and sell any major digital currency. You can invest, transfer or send/receive between many cryptocurrencies, traditional currencies and precious metals. Our digital money app is slick, easy, and secure.

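Bounties

| Tier   | Low (0.1 - 3.9) | Medium (4.0 - 6.9) | High (7.0 - 8.9) | Critical (9.0 - 9.4) | Exceptional (9.5 - 10.0) | Range           |
|--------|-----------------|--------------------|------------------|----------------------|--------------------------|-----------------|
| Tier 1 | €250            | €650               | €1,500           | €3,500               | €6,000                   | €250 - €6,000   |
| Tier 2 | €100            | €300               | €750             | €1,500               | €3,000                   | €100 - €3,000   |
| Tier 3 | €0              | €0                 | €300             | €750                 | €1,250                   | Up to €1,250    |
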
Rules of engagement
Required
Not applicable
max. 5 requests /sec
Not applicable

Our promise to you

  • We are happy to respond to any questions; please use the button in the top right corner for this.
  • We respect the safe harbour clause that you can find below.

Your promise to us

  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario. How will this affect us / our users exactly?
  • Remember: quality over quantity!
  • Please do not discuss or post vulnerabilities without our consent (including PoCs on YouTube and Vimeo)
  • Please do not use automatic scanners - be creative and do it yourself! We cannot accept any submissions found by using automatic scanners. Scanners also won't improve your skills, and can cause a high server load (we'd like to put our time into thanking researchers rather than blocking their IPs 😉)

Domains

iOS

Uphold Wallet - iOS application. This is currently installable on jailbroken devices; please read the out-of-scope findings.

iOS

UpHODL - iOS application. This is currently installable on jailbroken devices, but we don't allow the user to proceed with creating a wallet. Please read the out-of-scope findings.

Sandbox Web Wallet API. Use this environment for financial transaction testing, degradation attacks, or horizontal privilege attacks. Fund with Crypto Testnet Faucet (e.g. https://coinfaucet.eu/en/btc-testnet/ for Bitcoin).

On the business app side, we allow you to create apps in sandbox, but you shouldn't be able to create them in Production.

More information available here.

Severity assessment

This program follows Intigriti's contextual CVSS standard.

FAQ

Where can we get credentials for the app?

You can self-register on the application, but please don't forget to use your @intigriti.me address. You might need to be whitelisted to perform actions on certain parts of the application - please contact us and provide us your @intigriti.me address.

How can I test with funds?

Our Sandbox environment is connected to crypto TestNets, so you can print as much money as you need to test the platform!
